Class CredentialProvider
Credential providers are functions that accept no arguments and return a
promise that is fulfilled with an Aws\Credentials\CredentialsInterface
or rejected with an Aws\Exception\CredentialsException
.
use Aws\Credentials\CredentialProvider; $provider = CredentialProvider::defaultProvider(); // Returns a CredentialsInterface or throws. $creds = $provider()->wait();
Credential providers can be composed to create credentials using conditional logic that can create different credentials in different environments. You can compose multiple providers into a single provider using Aws\Credentials\CredentialProvider::chain. This function accepts providers as variadic arguments and returns a new function that will invoke each provider until a successful set of credentials is returned.
// First try an INI file at this location. $a = CredentialProvider::ini(null, '/path/to/file.ini'); // Then try an INI file at this location. $b = CredentialProvider::ini(null, '/path/to/other-file.ini'); // Then try loading from environment variables. $c = CredentialProvider::env(); // Combine the three providers together. $composed = CredentialProvider::chain($a, $b, $c); // Returns a promise that is fulfilled with credentials or throws. $promise = $composed(); // Wait on the credentials to resolve. $creds = $promise->wait();
Methods Summary
-
static
defaultProvider ( array $config = [] )
Create a default credential provider that first checks for environment variables, then checks for assumed role via web identity, then checks for cached SSO credentials from the CLI, then check for credential_process in the "default" profile in ~/.aws/credentials, then checks for the "default" profile in ~/.aws/credentials, then for credential_process in the "default profile" profile in ~/.aws/config, then checks for "profile default" profile in ~/.aws/config (which is the default profile of AWS CLI), then tries to make a GET Request to fetch credentials if ECS environment variable is presented, finally checks for EC2 instance profile credentials.
-
static
fromCredentials ( Aws\Credentials\CredentialsInterface $creds )
Create a credential provider function from a set of static credentials.
-
static
chain ( )
Creates an aggregate credentials provider that invokes the provided variadic providers one after the other until a provider returns credentials.
-
static
memoize ( callable $provider )
Wraps a credential provider and caches previously provided credentials.
-
static
cache ( callable $provider, Aws\CacheInterface $cache, string|null $cacheKey = null )
Wraps a credential provider and saves provided credentials in an instance of Aws\CacheInterface. Forwards calls when no credentials found in cache and updates cache with the results.
-
static
env ( )
Provider that creates credentials from environment variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN.
-
static
instanceProfile ( array $config = [] )
Credential provider that creates credentials using instance profile credentials.
-
static
sso ( $ssoProfileName = 'default', $filename = null, $config = [] )
Credential provider that retrieves cached SSO credentials from the CLI
-
static
ecsCredentials ( array $config = [] )
Credential provider that creates credentials using ecs credentials by a GET request, whose uri is specified by environment variable
-
static
assumeRole ( array $config = [] )
Credential provider that creates credentials using assume role
-
static
assumeRoleWithWebIdentityCredentialProvider ( array $config = [] )
Credential provider that creates credentials by assuming role from a Web Identity Token
-
static
ini ( string|null $profile = null, string|null $filename = null, array $config = [] )
Credentials provider that creates credentials using an ini file stored in the current user's home directory. A source can be provided in this file for assuming a role using the credential_source config option.
-
static
process ( string|null $profile = null, string|null $filename = null )
Credentials provider that creates credentials using a process configured in ini file stored in the current user's home directory.
- static getCredentialsFromSource ( $profileName = '', $filename = '', $config = [] )
- static shouldUseEcs ( )
Methods Details
static callable defaultProvider ( array $config = [] )
Create a default credential provider that first checks for environment variables, then checks for assumed role via web identity, then checks for cached SSO credentials from the CLI, then check for credential_process in the "default" profile in ~/.aws/credentials, then checks for the "default" profile in ~/.aws/credentials, then for credential_process in the "default profile" profile in ~/.aws/config, then checks for "profile default" profile in ~/.aws/config (which is the default profile of AWS CLI), then tries to make a GET Request to fetch credentials if ECS environment variable is presented, finally checks for EC2 instance profile credentials.
This provider is automatically wrapped in a memoize function that caches previously provided credentials.
Parameters
array | $config = [] | Optional array of ecs/instance profile credentials provider options. |
Returns
callable |
static
callable
fromCredentials (
Aws\Credentials\CredentialsInterface
$creds
)
Create a credential provider function from a set of static credentials.
Parameters
Aws\Credentials\CredentialsInterface |
$creds |
Returns
callable |
static callable chain ( )
Creates an aggregate credentials provider that invokes the provided variadic providers one after the other until a provider returns credentials.
Returns
callable |
static callable memoize ( callable $provider )
Wraps a credential provider and caches previously provided credentials.
Ensures that cached credentials are refreshed when they expire.
Parameters
callable | $provider | Credentials provider function to wrap. |
Returns
callable |
static
callable
cache (
callable
$provider,
Aws\CacheInterface
$cache,
string|null
$cacheKey = null
)
Wraps a credential provider and saves provided credentials in an instance of Aws\CacheInterface. Forwards calls when no credentials found in cache and updates cache with the results.
Parameters
callable | $provider | Credentials provider function to wrap |
Aws\CacheInterface |
$cache | Cache to store credentials |
string|null | $cacheKey = null | (optional) Cache key to use |
Returns
callable |
static callable env ( )
Provider that creates credentials from environment variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN.
Returns
callable |
static
Aws\Credentials\InstanceProfileProvider
instanceProfile (
array
$config = []
)
Credential provider that creates credentials using instance profile credentials.
Parameters
array | $config = [] | Array of configuration data. |
Returns
Aws\Credentials\InstanceProfileProvider |
See
static callable sso ( $ssoProfileName = 'default', $filename = null, $config = [] )
Credential provider that retrieves cached SSO credentials from the CLI
Returns
callable |
static
Aws\Credentials\EcsCredentialProvider
ecsCredentials (
array
$config = []
)
Credential provider that creates credentials using ecs credentials by a GET request, whose uri is specified by environment variable
Parameters
array | $config = [] | Array of configuration data. |
Returns
Aws\Credentials\EcsCredentialProvider |
See
static callable assumeRole ( array $config = [] )
Credential provider that creates credentials using assume role
Parameters
array | $config = [] | Array of configuration data |
Returns
callable |
See
static callable assumeRoleWithWebIdentityCredentialProvider ( array $config = [] )
Credential provider that creates credentials by assuming role from a Web Identity Token
Parameters
array | $config = [] | Array of configuration data |
Returns
callable |
See
Aws\Credentials\AssumeRoleWithWebIdentityCredentialProvider for $config details.
static callable ini ( string|null $profile = null, string|null $filename = null, array $config = [] )
Credentials provider that creates credentials using an ini file stored in the current user's home directory. A source can be provided in this file for assuming a role using the credential_source config option.
Parameters
string|null | $profile = null | Profile to use. If not specified will use the "default" profile in "~/.aws/credentials". |
string|null | $filename = null | If provided, uses a custom filename rather than looking in the home directory. |
array | $config = [] | If provided, may contain the following: preferStaticCredentials: If true, prefer static credentials to role_arn if both are present disableAssumeRole: If true, disable support for roles that assume an IAM role. If true and role profile is selected, an error is raised. stsClient: StsClient used to assume role specified in profile |
Returns
callable |
static callable process ( string|null $profile = null, string|null $filename = null )
Credentials provider that creates credentials using a process configured in ini file stored in the current user's home directory.
Parameters
string|null | $profile = null | Profile to use. If not specified will use the "default" profile in "~/.aws/credentials". |
string|null | $filename = null | If provided, uses a custom filename rather than looking in the home directory. |
Returns
callable |
static getCredentialsFromSource ( $profileName = '', $filename = '', $config = [] )
static boolean shouldUseEcs ( )
Returns
boolean |
Constants summary
string |
ENV_ARN
|
#
'AWS_ROLE_ARN'
|
string |
ENV_KEY
|
#
'AWS_ACCESS_KEY_ID'
|
string |
ENV_PROFILE
|
#
'AWS_PROFILE'
|
string |
ENV_ROLE_SESSION_NAME
|
#
'AWS_ROLE_SESSION_NAME'
|
string |
ENV_SECRET
|
#
'AWS_SECRET_ACCESS_KEY'
|
string |
ENV_SESSION
|
#
'AWS_SESSION_TOKEN'
|
string |
ENV_TOKEN_FILE
|
#
'AWS_WEB_IDENTITY_TOKEN_FILE'
|
string |
ENV_SHARED_CREDENTIALS_FILE
|
#
'AWS_SHARED_CREDENTIALS_FILE'
|